Docker container that includes Shellinabox and enables SSH connections to arbitrary remote servers (not the server where it is installed)
It's a web SSH proxy. Deployed on a server, it turns that server into a web SSH client. It is meant for remote SSH connections, not for connecting to the same server where it's deployed. See Shellinabox if you just want a web SSH server on the same server you want to connect to.
It is distributed as a Docker container which includes Shellinabox and a Python wrapper script, and it enables remote connections to arbitrary servers. It's based on the original Shellinabox and the idea of SSH client invocation.
The project includes the following features (both IPv4 and IPv6 are OK):
The code doesn't support DNS names for servers because it involves ambiguity in name-to-IP resolution and it's not my case, basically. The container is as basic as can be and doesn't include extra authentication or limitations. For use in an open environment, it is recommended to place nginx as a reverse proxy in front of it and implement additional authentication and other restrictions (I believe that a per-IP connection limit is the basic one).
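The most basic usage is to run the Docker container and specify the allowed networks in CIDR format (use a comma to separate them). By default, the gray (private) networks are specified: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7. The example command below overrides the default with ALLOWED_NETWORKS=0.0.0.0/0, which allows any IPv4 address.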
docker run -d --privileged --security-opt seccomp=unconfined --name webshell -p 8018:80 -e ALLOWED_NETWORKS=0.0.0.0/0 bwsw/webshell
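One way to implement the allow-list check described above, as an added example (not the project's wrapper script). The function names are hypothetical, and treating IPv4-mapped IPv6 addresses as the IPv4 address they carry is an assumption about the desired policy.

```python
import ipaddress

# Default allow-list quoted in the README text above.
DEFAULT_ALLOWED = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7"


def parse_allowed_networks(value=DEFAULT_ALLOWED):
    """Parse a comma-separated CIDR list as passed in ALLOWED_NETWORKS."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.1/8,
            # which usually indicates a typo in the configuration.
            nets.append(ipaddress.ip_network(item, strict=True))
    if not nets:
        raise ValueError("ALLOWED_NETWORKS is empty")
    return nets


def is_target_allowed(target, networks):
    """Return True only if target is an IP literal inside an allowed network."""
    if not isinstance(target, str):
        return False  # ip_address() also accepts ints; only text input is valid here
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False  # DNS names and malformed input are refused, never resolved
    # Assumption: an IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is judged by the
    # IPv4 rules, so a broad IPv6 entry cannot widen the IPv4 allow-list.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    nets = parse_allowed_networks()
    # Constructed sample targets.
    for t in ("192.168.1.10", "fd00::1", "8.8.8.8", "example.com", "::ffff:10.0.0.5"):
        print(t, is_target_allowed(t, nets))
```

With `ALLOWED_NETWORKS=0.0.0.0/0` this check accepts every IPv4 literal and still refuses all IPv6 targets, because the list contains no IPv6 network.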
Navigate to http://hostname.com:8018/ to specify the server IP, port and login interactively or
to use URL-based and default values
Private SSH keys which are stored in Vault must be Base64-encoded, e.g.
base64 ~/.ssh/id_rsa
The current implementation requires that the party calling Vault either guarantees that it is safe to show the token in the URI or provides a one-time (limited) Vault token which cannot be reused.
Also, keep in mind that the code creates a temporary file for the SSH identity file and removes it after the SSH command invocation, so keep the Docker container running bwsw/webshell secure. The feature involves a potential security vulnerability, so the code must be audited properly by security engineers.
Ivan Kudryavtsev @ Bitworks Software, Ltd.
Published under Apache v2.0